Researchers have uncovered a surveillance campaign, dating back to at least 2013, which has used a slew of Android surveillanceware tools to spy on the Uyghur ethnic minority group. The campaign uses four Android surveillanceware tools, dubbed SilkBean, DoubleAgent, CarbonSteal and GoldenEagle. The purpose of these tools is to gather and exfiltrate personal user data to attacker-operated command-and-control (C2) servers. “Many samples of these malware tools were trojanized legitimate apps, i.e., the malware maintained complete functionality of the applications they were impersonating in addition to its hidden malicious capabilities,” said Lookout security researchers Apurva Kumar, Christoph Hebeisen and Kristin Del Rosso, in a Wednesday analysis. The malware families were used in widespread campaigns that originated in China, which predominantly targeted Uyghurs but also, to a lesser extent, Tibetans. The Uyghurs, a Turkic minority ethnic group affiliated with Central and East Asia, have previously been targeted in other spyware attacks, including by an ActionSpy campaign seen as recently as June. Researchers believe that the Uyghurs were being targeted because of the titles of the apps through which the spyware was spread, and the in-app functionality of the spyware samples. Such titles include “Sarkuy” (Uyghur music service), “TIBBIYJAWHAR” (Uyghur pharmaceutical app) and “Tawarim” (Uyghur e-commerce site). Researchers say the surveillance apps in the campaign were likely…

Source

Email is in crisis. Despite massive advancements in perimeter and endpoint defenses, email remains a cybersecurity weak link for many companies. Why? Email is at the heart of everything we do online. It’s an essential line of communication for one-on-one and group conversations, both business-to-business and business-to-consumer. It’s used for account activation, service registration, password resets, invoicing, purchase verification, opt-in confirmations, loyalty clubs, and identity verification. Adding to the risk is the fact that a record number of employees are working from home, an environment where workers are more distracted and are using less-secure networks and hardware. This is why it’s so critical to verify that the emails that land in your inbox are trustworthy and safe. Consider recent inbox attack trends. Phishing attacks mutate fast, shifting tactics and lures constantly. One campaign hijacks the World Health Organization’s identity and offers dubious tips and dangerous links to COVID-19 resources. A message from an unknown sender appears as a personal note from one of your friends. Emails from “your CEO” ask for gift card donations to a charity. “Urgent” invoices from trusted “business partners” contain misleading bank information for wire transfers.

Evading Existing Defenses

The problem is that attackers have learned how to get through email security at all three defensive layers currently in use by most organizations: the…

Source

Microsoft has quietly pushed out two emergency security updates to fix remote code execution bugs in the Microsoft Windows Codecs Library. The Windows Codecs Library handles how the OS compresses large multimedia files such as photos and videos, and then decodes them for playback within applications. The out-of-band updates, addressing a critical-severity flaw (CVE-2020-1425) and an important-severity vulnerability (CVE-2020-1457), were sent out via Windows Update on Tuesday night and affect several versions of Windows 10 and Windows Server 2019. Both vulnerabilities allow for remote code execution “in the way that Microsoft Windows Codecs Library handles objects in memory,” according to the updates. CVE-2020-1425, if exploited, could allow an attacker to execute arbitrary code, while CVE-2020-1457 can be exploited to allow a bad actor to obtain information that would further compromise the user’s system. Both flaws can be exploited if users of affected systems open corrupted media files within applications that use the native Windows Codecs Library. Microsoft included a complete list of the affected Windows 10 and Windows Server distributions in its advisories, which offered little in terms of specific detail on the flaws. The company did say, however, that there are no mitigations or workarounds for the vulnerabilities. Affected customers need to take no action to receive the update, as they will be automatically updated by the Microsoft Store, according to the company. Alternatively,…

Source

A rare new ransomware strain targeting macOS users has been discovered, called EvilQuest. Researchers say the ransomware is being distributed via various versions of pirated software. EvilQuest, first discovered by security researcher Dinesh Devadoss, goes beyond the normal encryption capabilities for run-of-the-mill ransomware, including the ability to deploy a keylogger (for monitoring what’s typed into devices) and the capability to steal cryptocurrency wallets on the victims’ systems. EvilQuest samples have been found in various versions of pirated software, which are being shared on BitTorrent file-sharing sites. While this method of infection is relatively unsophisticated, it is common for other macOS malware variants – including OSX.Shlayer – “thus indicating it is (at least at some level) successful,” according to Patrick Wardle, security researcher with Jamf, in a Monday analysis. While Devadoss found the ransomware purporting to be a Google Software Update package, Wardle inspected a ransomware sample that was being distributed via a pirated version of “Mixed In Key 8,” which is software that helps DJs mix their songs. Another sample was analyzed Tuesday by Thomas Reed, director of Mac and mobile with Malwarebytes, in a malicious, pirated version of Little Snitch. Little Snitch is a legitimate, host-based application firewall for macOS. The malicious installer was found available for download on a Russian forum, dedicated to sharing torrent links. “The legitimate…

Source

Bug-bounty programs have become a popular way for vendors to root out security flaws in their platforms, attracting talented white-hats with the promise of big rewards. According to HackerOne’s 2020 List of the Top 10 Bug Bounty Programs on its platform, Verizon Media, PayPal and Uber are in the elite group. “These top 10 programs are setting the standard for how transparency breeds trust in security in collaboration with a team of diverse hackers from across the globe,” HackerOne CTO and co-founder Alex Rice said in an emailed statement. “At HackerOne, Default to Disclosure is one of our values. And while this isn’t a mandate for our customers and hackers, it is something we encourage every customer to think about. By sharing where we’re vulnerable, other defenders can learn, friendly hackers can learn, and we’re all safer in the end.” Verizon Media tops the list with $9.4 million paid out since it started its program in 2014, with its top bounty coming in at $70,000. It saw surging success this year, with total awards rising from $1.8 million over the life of its program. That’s only one of several notable changes from the 2019 rankings. Also new for 2020, PayPal outstripped Uber, taking the No. 2 position and relegating the ride-share giant to third place. That said, PayPal is a distant second to Verizon Media in terms of bounty volume (though it has had less time than Verizon Media to rack up payments). It has so far paid out $2.8 million, with $30,000 as its…

Source

The APT group known as StrongPity is back with a new watering-hole campaign, targeting mainly Kurdish victims in Turkey and Syria. The malware served offers operators the ability to search for and exfiltrate any file or document from a victim’s machine. The group (a.k.a. Promethium) is operating a series of bogus websites purporting to offer a range of popular software utilities. The tools on offer are trojanized versions of archivers, file-recovery applications, remote-connection applications, security software and more. These include 7-zip, WinRAR archiver, McAfee Security Scan Plus, Recuva, TeamViewer, WhatsApp, Piriform CCleaner, CleverFiles Disk Drill, DAEMON Tools Lite, Glary Utilities and RAR Password Unlocker. The sheer variety of the trojanized applications on offer in the latest campaign is a method aimed at casting a wide net in terms of victims’ interests, according to researchers at Bitdefender in a report released Tuesday. That’s not to say, however, that the attacks are devoid of targeting. The effort selectively targets victims using a pre-defined IP list, researchers said; if the victim’s IP address matches one found in the installer’s configuration file, the attackers deliver a tainted version of the trojanized application. Otherwise, they deliver a legitimate version. The IPs on the list appear to correspond to Kurdish targets, according to the research. And as with previous StrongPity campaigns, the malware, once installed, has an “exfiltration…

Source

The University of California, San Francisco (UCSF) has paid a $1.14 million ransom to recover data related to “important” academic work. The data was encrypted after the NetWalker ransomware reportedly hit the UCSF medical school. The UCSF, which includes a medical school and a medical center (UCSF Medical Center) as well as a graduate division, is a leading institution in biological and medical research. The university said that it first detected a “security incident” in its medical school’s IT environment on June 1. The attackers launched malware that encrypted a “limited number” of servers within the medical school, making them inaccessible. “The data that was encrypted is important to some of the academic work we pursue as a university serving the public good,” said the university in a recent security update. “We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.” Threatpost reached out to UCSF for more information about how the cyberattack started and whether they have received a decryption key that works. The cyberattack did not affect the university’s patient care delivery operations, overall campus network, or COVID-19 work, it said. UCSF also said they “do not currently believe” patient medical records were exposed – but are continuing their investigation. “Our investigation is…

Source

The COVID-19 pandemic has made it harder for banks to trace the source of payment card data stolen from smaller, hacked online merchants. On the plus side, months of quarantine have massively decreased demand for account information that thieves buy and use to create physical counterfeit credit cards. But fraud experts say recent developments suggest both trends are about to change — and likely for the worse. The economic laws of supply and demand hold just as true in the business world as they do in the cybercrime space. Global lockdowns from COVID-19 have resulted in far fewer fraudsters willing or able to visit retail stores to use their counterfeit cards, and the decreased demand has severely depressed prices in the underground for purloined card data. (Image caption: An ad for a site selling stolen payment card data, circa March 2020.) That's according to Gemini Advisory, a New York-based cyber intelligence firm that closely tracks the inventories of dark web stores trafficking in stolen payment card data. Stas Alforov, Gemini's director of research and development, said that since the beginning of 2020 the company has seen a steep drop in demand for compromised "card present" data — digits stolen from hacked brick-and-mortar merchants with the help of malicious software surreptitiously installed on point-of-sale (POS) devices. Alforov said the median price for card-present data has dropped precipitously over the past few months. "Gemini Advisory has seen over 50 percent decrease in…

Source

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that foreign hackers are likely to exploit a newly disclosed, critical vulnerability in a raft of Palo Alto Networks firewalls and enterprise VPN appliances, which allows for device takeover without authentication. The Department of Defense (DoD) arm that oversees cyberspace operations has advised that all devices affected by the flaw, CVE-2020-2021, be patched immediately. The vulnerability affects devices that use Security Assertion Markup Language (SAML), according to a tweet by the agency. “Foreign APTs will likely attempt exploit soon,” U.S. Cyber Command tweeted. “We appreciate @PaloAltoNtwks’ proactive response to this vulnerability.” Palo Alto Networks on Monday posted an advisory on the vulnerability, which affects the devices’ operating system (PAN-OS). Affected are PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15; and all versions of PAN-OS 8.0 (EOL). PAN-OS 7.1 is not affected. Palo Alto has already patched the issue in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3, and all later versions, which is why CISA is urging immediate updates of affected devices. The vulnerability is essentially an authentication bypass, so threat actors can access the device without having to provide any credentials. However, hackers can only exploit the flaw when SAML authentication is enabled and the “Validate Identity Provider…

Source

Before our current situation, you and your teams may have implemented a comprehensive data protection plan. The scope of change businesses are currently facing is something none of us could have predicted, and these changes will continue to affect how we work in the future. How can you be sure your data protection strategy can support this new way of working? It’s a question many organizations are asking. Times of massive change often set the stage for reassessment. Here are some of the things we at Forcepoint think about when creating or refining any data protection strategy. More employees working remotely most likely means an increased reliance on cloud services and applications. Modern data protection strategies focus on supporting users where they are. That means devising a plan that protects data on-premises and in the cloud, and one that protects data being accessed from multiple hardware devices and a host of new cloud applications. The whiteboard below shows the different channels that need to be accounted for in your data protection strategy. As the business evolves, the usage of and policies around these channels require careful consideration and need to be updated accordingly. With more employees working remotely, some channels, such as cloud storage, cloud SaaS (including video conferencing apps), chat/IM or other collaboration tools, will drive more activity, while others may stay the same (like email) or perhaps see reduced activity (like printers or USB drives). Policies that can be…

Source